Outlook Web Access Script Execution Vulnerability in Microsoft Exchange
A vulnerability exists in the Microsoft Exchange Server 5.5 Outlook Web Access (OWA) service that lets an attacker take any action on the user’s mailbox that the user can take, including deleting, moving and sending messages.
December 6, 2001
Reported December 6, 2001, by Microsoft.
VERSIONS AFFECTED
Microsoft Exchange Server 5.5 using Outlook Web Access
DESCRIPTION
A vulnerability exists in the Microsoft Exchange Server 5.5 Outlook Web Access (OWA) service that lets an attacker take any action on the user’s mailbox that the user can take, including deleting, moving and sending messages. The vulnerability results from a problem in the way that OWA handles inline script messages used in conjunction with Internet Explorer (IE). If the attacker uses OWA to open an HTML message containing a specially formed script, the script executes under the user’s security context.
VENDOR RESPONSE
The vendor, Microsoft, has released Security Bulletin MS01-057 to address this vulnerability and recommends that affected users apply the patch provided at this URL.
CREDIT
Discovered by Lex Arquette of WhiteHat Security.